
Zero Trust Meets OT: Securing Critical Infrastructure with Jori VanAntwerp, Part 1 | Episode #19

In this episode, John Martinez sits down with EmberOT founder Jori VanAntwerp to explore the unique challenges of securing operational technology environments where downtime isn’t an option. They break down the differences between IT, OT, and IoT, and why legacy systems and segmentation play a critical role in reducing risk. Tune in for a practical look at Zero Trust in systems where cybersecurity has real-world, physical consequences.

Transcript

Hey everybody.

Welcome to another episode of John Has Trust Issues, where I discuss issues relevant to the world of authorization and zero trust in a few minutes.

I’m John Martinez. I’m the technical evangelist, and I’m also a security barista. I’d love to see you on LinkedIn—talk to me about coffee—here at StrongDM.

Today I have the pleasure of having Jori VanAntwerp with us. Hi Jori, how’s it going?

Good, how are you?

Not too bad.

Jori is the CEO of EmberOT and an expert in critical infrastructure security, so I think we have some really cool things to talk about today. I’m thrilled to have you here, but before I ask you to introduce yourself, please tell us—what’s your trust issue?

This is—I don’t know if you guys have had this before—but it’s mine.

Every time I go out to eat, like take my wife to dinner, you go up to the hostess and say, “I’d like a table for two.” And they say, “Can you give us your phone number?” My response instantly is, “I don’t have a phone.”

I can’t do it. I cannot. That’s one of my major trust issues. I’m not going to give you my name, my email address, and my phone number. I get enough spam calls.

They’re going to find you anyway, I guess—but I get your point.

I can’t do it. They always look at me like I’m insane. I just say, “No, I don’t have a phone. I’ll stand right there and wait for you to point at me.”

I’ll channel my teenage kids—or at least that generation. “Can I have your Snap?” My kids are like, “What’s a phone number?” It’s that little app—but never mind, you don’t know what a phone looks like anymore.

At least not the classic one.

Tell the audience a little about yourself and what you do. I know you’re the CEO of your own company, so tell us about that.

Absolutely. I’m a geek at heart. I’ve taken a few steps back technically, but I still consider myself technical enough to be dangerous.

For a long time, I’ve been doing fun and interesting things—some of which could be considered gray-hat when I first started. But it led to an awesome security career.

I live in Phoenix, Arizona, and built my career around the valley, then moved into startups—all in the security world, mostly network-focused. About 12 or 13 years ago, I ran into operational technology. I’d call myself “OT curious” at the time.

As things evolved, I went fully into OT about eight years ago and have been there ever since. It’s a fascinating field. That led to creating my own company specifically to combat threats and risk in operational technology environments.

That’s a specialty. When we talked earlier, I asked, “What is OT?” You explained it really well—can you share that with the audience?

Sure. The easiest way to understand OT is technology that controls physical processes.

It could be the system that controls baggage claim at the airport, fulfillment systems like USPS or Amazon, or even something like a ceiling fan or lights. These are devices that interact with the physical world.

It’s important to differentiate between IoT and OT. IoT is internet-connected devices. OT is operational technology, which ideally isn’t internet-connected—but sometimes it is.

That’s great context.

When I first got into computers, one of the things we used to say was, “At least nobody dies from the work I do.” That’s not the case in OT, right?

It’s definitely different.

I remember thinking, “I’m not hurting anybody,” even when doing questionable things like building a keygen as a teenager.

But in the physical world, the impact is real. Even “splash damage” from IT decisions can affect OT—leading to economic impact or even loss of critical services.

That’s where it gets serious.

We wrote about attacks on water utilities—are those the kinds of environments you work with?

Yes. Water, energy, oil and gas, manufacturing, maritime—all fall under OT. These environments control physical systems.

You start to notice things like pumping stations, substations, compressor stations. They’re everywhere, but most people don’t notice them.

Same with telecom buildings—big windowless buildings full of infrastructure.

Exactly.

Let’s talk about air-gapped environments versus connected ones. How do you manage security across both?

True air-gapped environments are extremely rare—maybe a fraction of a percent. Most “air-gapped” systems actually use something like a data diode, which allows one-way communication.

The first step is understanding how the environment is structured—network segmentation, connectivity, architecture. That directly impacts risk and how you prioritize vulnerabilities.

Segmentation is one of the most important things you can do. It immediately reduces risk.

In OT environments, we often see less internet connectivity. But when systems are connected, it introduces complexity—tracking access, identifying users, understanding where traffic originates.

In OT, we often rely on jump boxes, which makes it easier to track access.

That’s reassuring.

But what about authentication and access controls?

In many OT systems, they don’t exist.

The reason is speed. These systems operate in real time—milliseconds matter. Adding authentication or encryption introduces latency, which can be dangerous.

There may be a human interface that requires login, but the devices themselves often don’t.

In some cases, you could physically access a system and change configurations without credentials.

That’s very different from IT.

It is. Traditional security controls don’t always apply. You can’t install agents, you can’t always block traffic—because blocking the wrong signal could cause harm.

So how good are teams at securing these environments?

It varies.

Large organizations with funding have excellent teams. Smaller utilities may have one person handling both IT and OT.

They may not have deep security expertise, but they focus on safety, resiliency, and efficiency—which aligns with security in a different way.

That’s where companies like EmberOT come in.

Exactly. We try to simplify things and bridge the gap between IT and OT.

I read a piece about industrial IoT—how is that different?

IIoT refers to IoT devices within OT environments. These could be robotic systems, AI-driven cameras, or monitoring systems in manufacturing.

It can also include traditional IoT devices deployed in OT networks, like badge readers or cameras.

It’s a bit of a confusing category—honestly, we could just call it all OT.

Fair enough.

How much overlap is there between IT security and OT security?

Technically, the systems are the same—networks, devices, protocols.

The difference is context.

OT systems must prioritize safety, uptime, and longevity. Some systems run for decades and can’t be easily updated.

Security decisions must consider physical impact. You can’t just add controls if they disrupt operations.

So it’s not about different technology—it’s about different priorities.

Exactly. It’s about ensuring systems remain safe and operational.

That might mean keeping air conditioning running, or ensuring a hospital has power.

The stakes are much higher.
